NIC goes digital

Identity is akin to self. At one time or another in life, we are required to prove it as well. The easiest way to prove one’s identity comes in the form of identification documents such as the birth certificate, driving licence, national identity card (NIC) and passport. When it comes to authenticated identity documentation, Sri Lanka takes the lead among South Asian countries, and now the country has taken another progressive step in keeping with global trends.

It is time to say goodbye to the simple laminated NIC, issued by the Department for Registration of Persons (DRP), that we Lankans carried for 45 years, and to move on to a trendy electronic or digital identity card (e-NIC) where one’s bio data as well as biometrics are recorded digitally.

The DRP is geared and ready to issue the new e-NIC to the citizenry, says Commissioner General, Viyani Gunathilaka. As the first step to the issuance of the e-NIC, new applicants were issued with the e-NIC without the biometrics or the image imprint on Friday, October 27. The smart-looking NIC is called the ‘suhuru’ or SMART Card.

The SMART Card provides much-wanted technological advancements to a department which admits that it is bombarded continually with counterfeit IDs. “The 100 percent polycarbonate card with laser engraving is absolutely hard to forge,” says Gunathilaka. It is welcomed by the public who are robbed of their NICs by smart forgery.

The Department receives over 1,500 applications for NICs under its ‘one day service’ and over 5,000 under the regular service, per day. While the previous system enabled the Department to issue 4,000-5,000 NICs on a daily basis, with the new technological advancements, the department would be able to better meet public demand, says Gunathilaka. Further, the DRP plans to issue NICs through a decentralized system soon.

According to Gunathilaka, the SMART Card issued on Friday is an “interim measure” paving the way for the e-NIC, which will be introduced by end 2018. With the introduction of the e-NIC, Sri Lanka falls into the ‘futuristic’ one third of the countries of the world. Fifty-nine out of the 195 countries in the UN have already issued or plan to issue digital identity cards by end 2018. While countries such as Estonia and the United Arab Emirates, hailed for their march towards e-governance, have made the digital ID mandatory for their citizens, others such as France and the United Kingdom have bowed their heads to the appeals and opposition of the public and opted out of the process. Some, such as Russia, India and Pakistan, have stalled due to predicaments faced during the process. Of the countries that operate a ‘successful’ digital ID program, Estonia allows the public to have control over who accesses their data and to what extent. However, some other countries use this digital identification as a surveillance mechanism by placing traceable radio frequency identification chips therein.

Sri Lanka required amendments to the Registration of Persons Act No. 32 of 1968 to pave the way for the e-NIC. The country created a National Register of Persons (NRP), under the purview of the Commissioner General (CG), Department for Registration of Persons through the Registration of Persons (Amendment) Act No. 8 of 2016, passed in Parliament on June 21, 2016. The legislation and regulations thereafter, published in the Gazette Extraordinary No. 2021/28 of May 31, 2017, came into force on August 22, 2017.

How would the e-NIC be used?

The e-NIC will enable the public to establish one’s identity easily; gain services offered by government institutions quickly and easily; ensure one’s security; and confirm family information, states the DRP website. In addition it “can support in the process of building a prosperous nation”.

Benefits for the public

1. You can establish your identity easily

2. It helps gain services offered by government institutions, quickly and easily

3. The e-NIC ensures your security

4. When information of your family has to be confirmed, the identity card will be of assistance

5. The e-NIC can support in the process of building a prosperous nation

The change is welcome. The benefits, provided they materialize, are also welcome. However, the public fears that it is a violation of privacy. In an age where ‘hackers’ are rampant in every possible field – be it finance, property, defence, education, business, politics and so on – the concern is whether ‘personal information’ gathered by the DRP could be used in a detrimental manner. Questions are many and the concerns are valid. What the public has not yet received from competent authorities is clarity and transparency regarding the objective of the data collected and accountability on data security.

For instance, there is a vast change in the amount of personal data collected through the previous NIC documentation and that collected under the new NRP. The Gazette 2021/28 of May 31, 2017 stipulates that the following data need to be collected by the DRP (Box 2), along with the prints of all 10 fingers as biometric data, a photograph and an image taken according to the ICAO standards. Furthermore, it is mandatory for the public to inform the Commissioner General of the DRP of any changes to the information provided within 6 months of its occurrence.

The Sri Lankan e-NIC program is distinctive in its requirement of family data. It is compulsory for the applicant to provide the NIC numbers of parents or guardian, of spouse and children in the case of married individuals, and of siblings for those who are single. The explanation of the DRP regarding such data is “To collect personal data of persons as a family unit and establish a national persons registry and a central database with bio data of all persons of 15 years or above, their biometrics and photographs obtained according to ICAO standards,” according to the DRP website. However, the competent authority has to this date not come forward with the objective, or the end-use, of this data except to say that the general public will benefit in confirming the family data.

If an authority such as the DRP needs to be involved in confirming such data, it must be of great value to the public in a country where living with the extended family is still the norm. Of course, it is imperative in Sri Lankan culture, whatever the ethnic background, to confirm and establish family data before one gets married. Other significant instances where family connections need to be confirmed are when establishing an individual’s medical history, adoption or parentage; in settling land disputes; in the event of writing biographies; or if involved in the hobby of creating family trees.

But, would the public be able to get their own family data for such purposes? The DRP head says nay. The CG is authorized only to say Yes or No, confirming or refuting an e-NIC number connected with a name.

“Under the new amendment and regulations DRP is only authorized to certify information. Disclosure of information is restricted under section 39,” says the CG.

Under the new section 39B of the Act the CG or a prescribed officer is authorised to issue a certified copy of the NIC to an individual upon a written request; to certify the authenticity of the particulars of an NIC holder on a written request from a public officer or with the consent of the card holder upon a written request made by a prescribed authority.

Disclosure

This stringent protection is lifted only when it comes to national security, crime and court orders. Under section 39C of the Act, in the interest of national security, for the prevention or detection of crimes, and by any order or direction of a court, the CG is authorised to “disclose any information relating to a registered person recorded in the National Register of Persons, to a public officer or authority, where such disclosure is necessary,” notwithstanding any other provision of the Act.

Therefore, the public could rest assured, for under the Act the CG of the DRP and the staff could be held liable and responsible for any unlawful disclosure of information.

However, in this digital era, data ranging from that of highly secure defence systems or financial conglomerates to that of personal e-mail addresses is attacked by hackers. How does Sri Lanka fare in the protection of data in the digital regime? According to the DRP head, the cyber security component of the project is looked into in collaboration with experts of the Universities of Moratuwa and Colombo. The DRP plans to obtain development and maintenance services from the private sector, once the technical specifications are finalized. Data management and maintenance will be carried out by the management unit of the e-NIC project.

Nonetheless, data is a highly valued item; the more data stored in one place, the more vulnerable it is. The digital ID projects of Pakistan, India and Russia are proof of the exceeding care and security needed for such projects. Though a highly developed system, the Estonian e-ID came under attack by hackers last year. The Sunday Observer sought expert opinion on the cyber security required for an extensive project such as the e-NIC, which involves data of over 20 million individuals.

Security to begin at the point of planning

“Digitization is the future. But it has to go hand in hand with security,” opines cyber security expert Boshan Dayaratne, Group Director/CEO of CICRA Holdings.

Security should begin at the point of planning the data to be collected. While minimizing the data would curtail the risk, when storing it both defensive and offensive cyber security methods could be used. Furthermore, security needs to be physical as well as cyber, to prevent break-ins, he advises.

Attacks would come in various ways including stealing, changing data, shut downs, denial of service and de-facing. “All these need to be looked into before the system is in place. Who has the ability to access the data and up to which point, is important. Limited access and access audits would minimize the threat,” he says, giving the example of mobile phone data. Though a name attached to a mobile phone number, or vice versa, could be obtained with a phone call a few years ago, stringent protocol and law enforcement had brought it to an end.

Another important aspect is “to have a multilayered defence mechanism preventing easy attack, and exhausting targeted attacks,” he advises. Thinking from an offender’s point of view would be advantageous. “Ethical hacking,” might be another method that could be employed.

Furthermore, the owner should also have data loss solutions embedded in the program to highlight unauthorized access; intentional and unintentional data leakages and deliberate changes to records, he suggests.

At the recently concluded 5th Cyber Security Summit organised by CICRA Holdings, it was revealed that during a period of 6 years there were over 43,000 individual data leaks in 32 sectors, a portion of the 2,500 security breaches found in the Sri Lankan cyber domain. Therefore, cyber security is a valid concern in Sri Lanka.

“Before a system is implemented or data collected the security protocol and system should be presented to the public for confidence building,” he opines. Policy makers should look into the security of the data obtained from citizens “deeply and seriously. Not only on the aspect of cyber security but in providing physical security as well. They have to be very careful otherwise loss of confidence could bring the government to disrepute.”

In case of any breach in the data, what are the mitigatory measures available to the public? The Sunday Observer sought legal advice from a consultant involved in Computer Crimes litigation.

Awareness creation among public sector officials

“Though Sri Lanka doesn’t have a crosscutting data protection law; the country has taken a sectoral approach to data protection, with the Banking Act as well as Licences issued under the Telecommunications Act defining how customer data should be protected,” says Jayantha Fernando, Director and Legal Advisor, Information and Communication Technology Agency (ICTA). Where the new e-NIC related activities are concerned, a data protection regime seems to be built into the Registration of Persons (Amendment) Act No. 8 of 2016 itself, he opines.

“Sri Lanka seems to have had a comprehensive detailed law from 1968 making it mandatory for any person reaching a prescribed age to register and obtain a personal identification. The Registration of Persons (Amendment) Act No. 8 of 2016 authorizes the Commissioner General to maintain a ‘National Register of Persons’ (Section 6). The model that is in Sri Lanka seems to be quite comprehensive and unique. It is a fairly detailed regime that has been developed after many years of preparation, and could be an advanced system not found in many developing countries. Many countries don’t have a unified system, like in Sri Lanka and the responsibility has been statutorily given to Commissioner-General and staff of the Dept of Registration of Persons”.

“Where data protection is concerned the amendment stipulates stringent guidelines on information disclosure (Section 39 B, C, E & F Registration of Persons Act No. 32 of 1968). Security control measures could be introduced to protect the data base electronically or otherwise”. However, Fernando suggested that policy level measures may need to be taken to safeguard and protect personal data in the National Register of Persons. “For example, Regulations could be made under Section 8(2) and 24 of the Electronic Transactions Act, which was recently amended, to introduce control and security procedures to ensure confidentiality and integrity of the data stored in electronic form. This should be coupled with a stringent Information Security policy that should be followed by the Dept of Registration of Persons,” he suggested.

Are we ready?

If such measures are introduced, then the information in the National Register of Persons could be protected by the Computer Crimes Act No. 24 of 2007, says Fernando. “More awareness is needed to be created among public sector officials to protect data and information regarding citizens and liabilities under Section 10 of the Computer Crimes Act”.

Sri Lanka is the first in South Asia to ratify the Budapest Cybercrime Convention, after which the law enforcement officers were trained in a rigorous manner under the EU/Council of Europe Project “Global Action on Cybercrime”. Sri Lankan Police units are well equipped to investigate cyber crime, Fernando said. Sri Lanka’s accession to the Budapest Convention has set the stage for us to consider data protection regulations similar to the Data Protection Convention, subject to consensus among key stakeholders.

According to the timeline drawn by the Department, it still has another year or more to issue the e-NIC. However, are we ready? Or are we, in true Sri Lankan fashion, placing the cart before the horse?

The important factor is to understand that the Registry of Persons would hold all the personal data of Sri Lanka’s total population. Therefore the competent authority needs to be cautious. Heeding the travails and learning from the best practices of other countries would be a good approach.

Today, we are at the point of jubilation with the issue of the SMART Card. The next step is the e-NIC.

However, it seems that an honest dialogue between the main stakeholder, the public, who are the owners of the data, and the party to which the data is submitted is needed now.